
Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 8 comments
boesboes ◴[] No.31260274[source]
For anyone else who wonders wtf Tailscale is:

> Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source WireGuard protocol, which means only devices on your private network can communicate with each other.

It seems to take care of key distribution, NAT traversal, authentication, etc.

Neat! Not sure how that is 'fixing internet' exactly, but really cool anyway.

replies(8): >>31260403 #>>31260446 #>>31260650 #>>31260654 #>>31260970 #>>31261908 #>>31268396 #>>31268813 #
yrro ◴[] No.31260446[source]
Tailscale is one of the ways you can restore the end-to-end connectivity principle that IP introduced and that NAT destroyed.
replies(2): >>31260512 #>>31261439 #
legalcorrection ◴[] No.31260512[source]
This is kind of overstated. Even if everyone went IPv6 and gave every device a public IP address, pretty much every network would have a firewall that behaved just like NAT.
replies(4): >>31260541 #>>31260693 #>>31260790 #>>31262162 #
1. Spivak ◴[] No.31260541[source]
Yeah, no one is going to allow unsolicited inbound connections even without NAT so you still have to have something to hook up the two ends in a P2P setting.
replies(1): >>31260919 #
2. throw0101a ◴[] No.31260919[source]
> Yeah, no one is going to allow unsolicited inbound connections even without NAT so you still have to have something to hook up the two ends in a P2P setting.

Sure they are. All home routers that I'm aware of allow for port forwarding so folks can self-host a service: perhaps a game server (e.g., Minecraft), web, e-mail, etc.

It's just that, going forward, you can set up a separate subnet to put your gear in (especially if you get multiple /64 subnets from your ISP). You can have a DMZ, and use the router- and/or host-level firewall to dictate which connections are allowed.

replies(2): >>31261261 #>>31263755 #
3. zinekeller ◴[] No.31261261[source]
... if your definition of "home routers" excludes ISP-provided ones, then I'll agree. Unfortunately, I'm pretty sure that either you are on an ISP that actually cared and found a good supplier, or you didn't check what the capabilities of ISP-provided routers are.
replies(2): >>31262101 #>>31264973 #
4. dsr_ ◴[] No.31262101{3}[source]
Of the three ISPs in my area that I have used, all of them allowed inbound traffic and either had useful controls in their routers or didn't supply a router, just an ethernet handoff. RCN, Comcast, Verizon.

All of them filtered out the SMB/CIFS ports.

Two of them filtered outbound port 25; one of them was willing to open it with the additional cost of a static IP.

replies(1): >>31262158 #
5. zinekeller ◴[] No.31262158{4}[source]
Yeah, it's inconsistent, to be honest. I've found Hitron to not have any sort of firewall (except for IPv4 NAT, if you consider it a firewall), while Huawei routers (which are not used in the US, for reasons hopefully known to you) do have an IPv6 firewall that is only an on/off switch; stupidly, their enterprise stuff does have advanced controls. Alcatel/Nokia-branded ones are inconsistent, to say the least, and the same can be said for Zyxel. I'm actually interested in checking out other routers used by ISPs, but those are the ones I've actually seen.
6. legalcorrection ◴[] No.31263755[source]
The point is for the user to not have to go configure their firewall.
replies(1): >>31264872 #
7. throw0101a ◴[] No.31264872{3}[source]
Which can be done via UPnP and PCP, and without having to maintain TURN/STUN/etc infrastructure. The latter of which can only be done with IPv6, since with IPv4 you're NATing.

So IPv6 makes things easier—which was the point of my post: IPv6 makes things easier.

8. throw0101a ◴[] No.31264973{3}[source]
With IPv4 I have to worry about UPnP/PCP working and TURN/STUN/etc. nonsense when it comes to peer-to-peer protocols. With IPv6 I only have to worry about UPnP/PCP working. In my books that's an improvement.

If I want to self-host something, then with IPv4 I have to publish my IP and worry about the CPE supporting port forwarding. With IPv6 I have to publish my IP and use UPnP/PCP to allow all connections. Is there any CPE gear that does not support UPnP/PCP?